Malware, Threat Management

Threat actors use payment skimmer to attack more than 500 e-commerce stores

A chip and pin debit console is seen February, 23, 2006, in Manchester, England. (Photo Illustration by Christopher Furlong/Getty Images)

Researchers earlier this week detected a breach of more than 500 online stores running the outdated Magento 1 e-commerce platform.

In a blog post, Sansec researchers said all the stores were the victim of a payment skimmer loaded from the domain. The researchers said the attackers used a “clever combination’ of an SQL injection and PHP object injection attack to install malware and control the Magento store.

Sancec said it discovered the issue last month when its global crawler found 374 e-commerce stores infected with the same strain of malware.

Running an e-commerce website on an outdated and unpatched platform is like driving a car without a seat belt on, said Ron Bradley, vice president at Shared Assessments. Bradley said Magento and other e-commerce platforms have a long history of vulnerabilities.

“With NaturalFreshMall being the common denominator of this attack, one would have to wonder how they were able to pass PCI audits of their systems which surely would have called for a vulnerability scan and should have identified this issue,” Bradley said. “This is a prime example why it’s so important to vet both your downstream and upstream partners as part of any good third-party risk management program. Ask the tough questions about patch management and vulnerability management. Insist on getting documentation to support vendor claims. Tell them to buckle up for everyone’s safety.”

This new variant of a Magecart attack really shows that hackers are becoming more sophisticated, ingenious, and clever as e-commerce booms, said Damon Ebanks, vice president of marketing at Veridium. Ebanks said just last month, Sancec also discovered that major e-commerce hosting platforms such as Shopify and WooCommerce were also under threat from the same kind of attacks. 

"There’s not much the customers can do about this, to be honest,” Ebanks said. “As they’re about to checkout, the attackers lead them to a payment processing page which looks nothing short of authentic. After they’re done entering the details, the page often shows an error and they’re redirected back to the official payment processing page where they re-enter their details. By then, the attackers already have all the data they could need.”

Jason Kent, hacker in residence at Cequence Security, offered the following comment that sums up the situation:

“Out of support and no patches, check. Exploitable plugin architecture, check. Malware distributed, check and mate. This seems like a very obvious thing, but most organizations that have these types of occurrences often aren’t focused on security — but this is a great example of why everyone needs to be focused on security.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.